New research from cybersecurity firm Rapid7 has shown that the ransomware attacks facing IT and security professionals in APAC are far from uniform, and they would be better off taking advantage of intelligence that sheds light on ransomware trends. attack in your specific jurisdiction or sector.
Raj Samani, chief scientist at Rapid7, said real ransomware threats often differ from assumptions based on news coverage. The attack surface investigation revealed significant existing vulnerabilities, such as open ports and storage buckets and leaked credentials, he added.
How ransomware threats in Asia and the Pacific differ by jurisdiction and sector
Rapid7 research into ransomware activity in Asia-Pacific, conducted during the last half of 2023, found differences by company location and industry, indicating that organizations that take a general approach to ransomware defense ransomware could be missing key information.
For example, the most common ransomware group targeting Australia was ALPHV or BlackCat. The group was found to primarily target the financial sector, with some activity in the government and education sectors. The next largest group was Trigona, followed by 8Base (Figure A).
Figure A
Japan was also the most attacked by ALPHV, although the greatest impact was felt by the technology sector, followed by manufacturing (Figure B). The next most important attack groups for Japan were LockBit 3.0, again targeting manufacturing, and Royal, targeting the financial and technology industries.
Figure B
A side-by-side comparison of Australia with India shows that although many threat groups appear in both countries, there are differences in the prevalence of ransomware groups in different sectors; For example, LockBit 3.0 is important in the Indian financial sector, but not in Australia (Figure C).
Figure C
More deviation between sectors than expected by Rapid7 researchers
Rapid7 found that the range of threat groups was quite broad for regionally targeted ransomware campaigns, but the group that was most prevalent varied by geography or targeted sector. “We expected greater overlap between threat actors across sectors,” Samani said.
“What was interesting was the delineation and deviation of common threat groups in the Asia-Pacific,” Samani explained. “We can see from the data that there are active ransomware groups specifically attacking individual sectors or specific countries in APAC.”
Samani added that while a CISO in Indonesia, Malaysia or China might be hearing a lot about LockBit or ALPHV, there may be other ransomware threat groups to worry about. “There are many other threat groups that are very successful at flying completely under the radar and that no one talks about.”
Attack surface leaves organizations open to man-in-the-middle access
One worrying finding was how open organizations are to ransomware attacks. “We looked at the attack surface of sectors within markets like Australia and asked if attackers were going to do reconnaissance and get in for a ransomware attack, is this an easy thing to do?”
Rapid7 found that while “windows and doors” were not left open for attackers, they were left “unlocked.” Samani cited the number of open ports and storage buckets, access and availability of leaked credentials, as well as unpatched systems in the region.
“These things are not glamorous or exciting. But by looking at whether there are open or test systems on the Internet, or whether storage repositories are blocked, it is starting to make it more difficult for access brokers, who are experts at gaining access and selling it to threat groups.”
Rapid7's analysis used machine learning to analyze the external access surface of multiple sectors within the APAC region during the last half of 2023. It processed available data “beyond openRDP and unpatched systems”, including leak sites and sets of compromised data.
Boost ransomware defense with an intelligence-driven approach
Ransomware attacks are increasing in Asia and the Pacific. TO recent IB-Group report found that, according to companies with information posted on ransomware data leak sites, regional attacks increased by 39% to a total of 463, with the majority (101) occurring in Australia.
SEE: Cybersecurity trends to watch in Australia in 2024
Rapid7 recommends that Asia-Pacific organizations take a more nuanced, intelligence-driven approach to addressing ransomware risk. Samani said they should not prioritize or “speculate based on headlines involving organizations around the world.”
“Everyone is talking about the same ransomware families. But no one has sat back and said, 'Well, that doesn't really apply here, what applies here is this group,'” Samani explained.
The firm maintains that combining external attack surface management and actionable intelligence to identify assets with vulnerabilities that are being exploited in the wild should be the highest priority, especially when an attributed ransomware campaign targets sector or geography of the organization.
“Getting that visibility and intelligence is crucial,” Samini said. “That level of intelligence means you know who you're up against and how to protect yourself.”
